The UAE Telecommunications Regulatory Authority (TRA) has published a new policy regulating services and devices associated with the Internet of Things (IoT Policy). The IoT Policy's introduction reflects a growing regional trend to regulate specific market sectors and technologies in response to their increasing prevalence and perceived risks they present.
Internet of Things (IoT) refers to the growing network of inanimate objects connected to the Internet, including devices as diverse as home electrical appliances, thermostats, gas meters and vending machines. Also referred to as “machine-to-machine” or "M2M," IoT technology promises transformative economic benefits in two distinct ways – as an industry vertical which uses the technology to amass data and thereby conduct superior analytics; and as a horizontal industry enabler which can be adopted across industries to allow for the smarter use of infrastructure, improved efficiency and growth of new business segments.
The TRA has only recently published the IoT Policy on their website, although it is dated 22 March 2018. Accordingly, the one-year grace period provided to IoT service providers has already expired and compliance with the requirements of the IoT Policy is now mandatory. Some of the key requirements are as follows:
- Registration: All IoT service providers are required to obtain an IoT Service Registration Certificate from the TRA, in addition to the existing type approval. This also applies to offshore service providers offering IoT services to UAE-based customers.
- Onshore representation: IoT service providers must have a local presence in the UAE or an official representative in the UAE who can liaise with the TRA on their behalf.
- Data protection: The IoT Policy requires compliance with data protection concepts adopted from the European data protection regime, namely: data minimisation obligations; limitations on the purpose for which data can be used; and the obligation to put in place minimum security requirements for the protection of data captured.
- Data localisation: Certain data of government entities are required to be kept within the geographic boundaries of the UAE (e.g., “Secret, Sensitive and Confidential” data). Other categories of data may be transferred overseas provided certain minimum criteria are satisfied.
- IoT connectivity: IoT service providers who provide “connectivity” for IoT ecosystems over a "wide area" using the Public Switched Telecommunications Network (PSTN) are obliged to notify the TRA of those activities in advance so that the TRA can take a view on whether or not those activities should be regulated under the IoT Policy. This could in theory capture providers of applications designed to interact with and manage the data collected from IoT-enabled devices.
Although the IoT Policy has only been made publicly available recently, compliance is now required. Failure to do so may result in penalties being levied by the TRA under the UAE Telecoms Law. IoT service providers operating in the UAE should assess their activities and take steps as necessary to meet the compliance requirements as set out by the IoT Policy.
For future updates and other resources, you can visit and subscribe to our Middle East Insights blog.
To speak to us in relation to technology and data privacy issues in the UAE and Middle East, please feel free to contact one of the lawyers listed on this client alert or your usual Baker McKenzie contact.